From mboxrd@z Thu Jan 1 00:00:00 1970 From: sup@chrislee.dhs.org (Chris Lee) Date: Thu, 17 May 2007 17:24:11 -0400 Subject: [sup-talk] GPG Support Message-ID: Jeff, GPG support is coming along nicely right now. There are some shortcomings my speedy implementation that I need feedback on. 1. If all email addresses of an email have keys, then, and only then, do I encrypt the email - this means if you have highly sensitive info, and you miskey an address, whoops it goes out unencrypted * I need a way to know if the user want to encrypt and/or sign an email and then alert him/her if I don't have all the required keys. 2. I don't sign any email right now :( 3. There is no mechanism to lookup keys from keyservers (e.g., --recv-key) * We'll probably need a separate Manager to handle this 4. The sources.yaml file is pgp encrypted now. However, it'd be nice to extend protections to non-pgp users. Should I use openssl to encrypt the config file and then have the pgp password(s) in there? 5. I only use one GPG private key, which is not tied to the sending address (it's specified in config.yaml). This should be easy to fix if I store all the passphrases in an encrypted file. * Do you need this feature? 6. You'll have to encrypt your sources.yaml file manually before the first time you launch sup with pgp support. * add :gpgkey: to config.yaml :accounts: :default: :name: Chris Lee :signature: /Users/chris/.signature :sendmail: /usr/local/bin/esmtp -t :email: 3v1l at n0spz.net :alternates: [] :gpgkey: 14E44DBF * gpg -a -e -r yourself sources.yaml * cp sources.yaml.asc sources.yaml * rm sources.yaml.bak * is there a better way to do this transition? 7. This totally breaks sup-add, sup-sync, and anything else that reads sources.yaml right now * this should also be easy to fix Chris